topic Re: How do I verify Threat Emulation is working? in Firewall and Security Management

How do I verify Threat Emulation is working?

PhoneBoy — Fri, 22 Mar 2019 03:06:06 GMT

We offer a test you can access from behind your Security Gateway where Threat Emulation is enabled to ensure it is working:

Threat Emulation Test -- A link to a DOC with an exploit that will not harm your computer. Will show as Exploited Document in logs.

Anti-Virus Test -- Downloads the standard EICAR AV test file
Anti-Bot Test -- Accesses a link that is flagged by Anti-Bot blade as malicious. Shows as Check Point-Testing Bot in logs.

Re: How do I verify Threat Emulation is working?

KennyManrique — Fri, 22 Mar 2019 13:06:30 GMT

Thanks for the test tip, Dameon!

Also CP's CheckMe is a good option for this http://www.cpcheckme.com/checkme/

Regards,

Re: How do I verify Threat Emulation is working?

PhoneBoy — Fri, 22 Mar 2019 13:19:49 GMT

Also a good test.

Re: How do I verify Threat Emulation is working?

chico — Fri, 27 Sep 2019 09:33:30 GMT

Hello,

I' m checking the checkpoint ICAP server on my lab and if I upload a eicar document, the checkpoint accept the eicar file.

I configured a ICAP profil ont the threat prevention layer with this options.

- If the threat emulation is activate ont the ICAP profil, the eicar test file is accept by checkpoint

-If I the threat emulation is not activate on the ICAP profil the eicar test document is prevent by the anti-virus blade as shown as the attached picture.

I don't underand how it's works..

If someone can explain me the difference ?

Regards,

Miguel

Re: How do I verify Threat Emulation is working?

FedericoMeiners — Fri, 27 Sep 2019 12:22:05 GMT

@miguel

I think that the explanation is on the behavior analytic engine of Sandblast, same happens with antivirus such as Cylance: EICAR is not being detected because it actually does nothing on your system. In other words it doesn't trigger any indicator of compromise.

I would recommend you try these solutins with real malware from The Zoo Project (https://github.com/ytisf/theZoo) if you want to go beyond you can even modify the binaries so the hash is new.

Handle with care since it's real malwre 🙂

Hope it helps

Re: How do I verify Threat Emulation is working?

chico — Fri, 27 Sep 2019 13:34:07 GMT

Hi,

Thanks you for reply,

Ha yes I understood, in the threat emulation, the document is emulated in various OS systems to check if there are abnormal behaviors. Effectively ICAR doesn't do anything it's a simply signature...so it's detected by the anti-virus signature.

Thank you for the link.

Re: How do I verify Threat Emulation is working?

Herold — Thu, 20 Feb 2020 16:35:41 GMT

Hi,
The link to the Threat Emulation test file is now working. Was the path changed?
http://poc-files.threat-cloud.com/demo/demo.doc

Re: How do I verify Threat Emulation is working?

PhoneBoy — Thu, 20 Feb 2020 20:32:36 GMT

Looks like the same path I provided above?

Re: How do I verify Threat Emulation is working?

Herold — Thu, 20 Feb 2020 23:14:23 GMT

Yes, it's exactly the one you provided. But it seems it doesn't work as i'm getting an "internal server error" when i click on it. Is there another link?

Re: How do I verify Threat Emulation is working?

PhoneBoy — Fri, 21 Feb 2020 01:47:59 GMT

Not as far as I know.
I checked the link and it appears to be working for me.

Re: How do I verify Threat Emulation is working?

Herold — Fri, 21 Feb 2020 17:06:33 GMT

When I tried, i get the following message: "Sorry, the page you are looking for is currently unavailable.
Please try again later.
If you are the system administrator of this resource then you should check the error log for
details.
Faithfully yours, nginx."

Re: How do I verify Threat Emulation is working?

PhoneBoy — Fri, 21 Feb 2020 18:53:55 GMT

Hm... you're right.
I see that when I try from a system that isn't connected to our VPN that it fails.
I've reported it internally...should get fixed soon.

Re: How do I verify Threat Emulation is working?

Gaurav_Pandya — Fri, 28 Feb 2020 11:50:45 GMT

Is it compulsory to enable https inspection and MTA for Threat emulation blade? If I enable threat emulation like inline mode than does it scan files downloaded from websites?

Re: How do I verify Threat Emulation is working?

PhoneBoy — Fri, 28 Feb 2020 18:48:19 GMT

It's not necessarily compulsory, but it's highly recommended.
With the majority of traffic being HTTPS and the browser manufacturers continuing to force the issue, without it, you'll be blind to more and more threats.
Threat Emulation can work inline--Threat Extraction can as well from R80.30.
For email, TLS is becoming more prevalent and the only way to scan email for threats is to run in MTA mode.

Re: How do I verify Threat Emulation is working?

Gaurav_Pandya — Mon, 02 Mar 2020 14:31:49 GMT

Thanks.